Creating Whitelists


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Printer Friendly Page

MineMeld aggregator nodes support whitelists. If an indicator is on a whitelist, the aggregator nodes will not send matching indicators to downstream nodes. Whitelists can also be shared by multiple aggregators.


Aggregator nodes created using stdlib prototypes (stdlib.aggregatorDomain, stdlib.aggregatorURL, stdlib.aggregatorIPv4Generic, stdlib.aggregatorIPv4Outbound, stdlib.aggregatorIPv4Inbound) will whitelist indicators generated by Miner nodes whose name starts with the prefix wl (lowercase).


In the following example, a whitelist Miner will be created for an IPv4 aggregator node.


1. Creating a static whitelist node

In CONFIG, click + to add a new node. Specify a name starting with "wl" and select stdlib.listIPv4Generic as prototype. Enable Output and then press OK.


MineMeld Whitelist Add Node.png


2. Connecting the whitelist to the aggregator

In CONFIG, click on the INPUTS field of the selected aggregator. In the dialog add the new whitelist node to the list of INPUTS.

MineMeld Whitelist inboudaggregator.png


3. Commit the config

Just press COMMIT in the CONFIG page.


4. Adding indicators to the whitelist

In NODES, click on the new whitelist node and select INDICATORS in the menu on the left.

MineMeld Whitelist wlmywhitelist.png


Click + to add new indicators. Pressing OK will automatically save the indicator and the list. It could take up to 1 minute for the new indicator to be pushed downstream to the aggregator node.

MineMeld Whitelist Add IPv4 Indicator.png


Tags (3)

What is the significance of the indicator "share level" in this example.  Does "red" impact the ability of the processor node to share it with numerous ouput nodes?

Hi Claudec,

technically share_level is just an additional attribute of indicators. You can use share_level to tag indicators that should be kept confidential and not shared with others. Enforcement of share_level can be done using node input filters. Example: feedHCGreen prototype accepts only indicators with share_level green. Ref:

Is it possible to create a white list from an IPs address file?

Hi @spssspss, that's possible. Would you mind opening  a new discussion under MineMeld Discussions ? I will give you full details there. Thanks !


I'm dealing with a problem in whitelists.

Following the steps described here, doesn't matter the time I wait, the IP inserted in my wlWhiteList node never is excluded from the IP list in the feed node.


The same occours for domains. I have a node called wlDomain. The domain never is removed from the list in my feed node. I don't know if it is a problem with the aggegator or the miner.


I noted that the whitelist miner for domains doesn't have the camp "Direction". Is it ok?


Thank you


   danilo.souza I am also experincing the same thing as you. No matter the wl miner I create, the ips included are still being picked up by the inboundfeedhc and sent to my firewall. I have tried various wl miners and different directions (or no direction). I have my new miner added to the inboundaggreator and waited for over a day. When I check my EDL on the firewall the ips in question are still present, because they are still present in the Output node. 


Did you ever figure this out or get an answer. I know I am late to the party, but I just stood Minemeld up last week. 





Hi @ch199soprano


Unfortunately not. I "whitelisted" the IP through Panorama. You have the option to create exceptions there (Objects->External Dynamic Lists->"Your List"->List Entries and Exceptions).


But It is not instantaneous. This can take up to one hour (the interval of time the Firewall takes to accomplish the autocommit). 


Best Regards

Thanks, I will keep at it. unfortunately we are not using Panaorama so I would hae to Commit excpetions on the firewall which sort of takes away from the whole minmeld setup. Thanks for the response. 





Is there a way using whitelist for the oposite propose, i mean add indicators to an output?


Best Regards,


Adélio Moreira




I would like to know this as well.  It appears that the wl - indication works exactly opposite of what you would expect in this scenario?

Version history
Revision #:
2 of 2
Last update:
‎09-09-2019 10:03 AM
Updated by: